Microsoft closes zero day hole in Internet Explorer

As previously announced, Microsoft has released the unscheduled security update to close the zero day vulnerability. The patch is intended to close the hole in all versions of Internet Explorer between 5.01 and 7 and is available for all current Windows versions. IE version 8 Beta 2 is also affected, and an update has been released for this version.

Users are advised to install the update for all versions immediately. IE users who have disabled Automatic Updates should re-enable this feature or manually download the patches. The necessary links are listed in the MS08-078 security bulletin.

The patch is said to at least protect users from the exploits that are currently in circulation on various web pages. In a short test by heise Security, several common exploits no longer worked after the patches were installed. Although the majority of compromised websites are porn pages, the exploits have also affected respectable pages. The web page of mainboard vendor Abit, for example, was reportedly infected via SQL injection.

The hole in Internet Explorer is caused by a data binding flaw which can cause an object to be discarded without the length of the respective array being updated. This allows attackers to access the memory area occupied by the deleted object, which can be exploited to inject and execute malicious code. Contrary to what was previously assumed, the problem can be exploited with techniques other than a flawed SPAN tag in an XML document.
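
The bookkeeping error described above, an object discarded while the array length stays unchanged, shown as an added, simplified C model beside the corrected handling and an audit function that flags stale slots. This is not Internet Explorer code and not taken from the bulletin; all names are hypothetical, and a static pool stands in for the heap so that discarded objects can be inspected safely.

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified model, hypothetical names: a fixed pool replaces malloc/free
   so that a "discarded" object can still be examined without undefined behaviour. */
#define MAX_BINDINGS 8

typedef struct { int id; bool alive; } binding_t;

typedef struct {
    binding_t *items[MAX_BINDINGS];
    size_t length;               /* number of slots a consumer will walk */
} binding_array_t;

static binding_t pool[MAX_BINDINGS];

/* Fill the array with n live objects taken from the pool. */
void bindings_init(binding_array_t *a, size_t n) {
    if (n > MAX_BINDINGS) n = MAX_BINDINGS;
    for (size_t i = 0; i < n; i++) {
        pool[i].id = (int)i;
        pool[i].alive = true;
        a->items[i] = &pool[i];
    }
    a->length = n;
}

/* Flawed pattern: the object is discarded but length is left unchanged,
   so slot idx still looks valid to any code iterating 0..length-1. */
void discard_flawed(binding_array_t *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->alive = false;    /* stands in for free() */
}

/* Corrected pattern: discard, close the gap, clear the tail, shrink length. */
void discard_fixed(binding_array_t *a, size_t idx) {
    if (idx >= a->length) return;
    a->items[idx]->alive = false;
    for (size_t i = idx + 1; i < a->length; i++)
        a->items[i - 1] = a->items[i];
    a->items[--a->length] = NULL;
}

/* Audit: count slots inside length that reference a discarded object. */
size_t count_stale(const binding_array_t *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->alive) stale++;
    return stale;
}
```

In a real allocator the stale slot would point at freed memory that can be reallocated with other contents, which is why the invariant "every slot below length refers to a live object" is the property to check in review and in debug assertions.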